summaryrefslogtreecommitdiffstats
path: root/security/apparmor/Kconfig
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2014-10-24 09:16:14 -0700
committerJohn Johansen <john.johansen@canonical.com>2016-07-12 08:43:10 -0700
commit6059f71f1e94486a51cef90e872add11fa7b5775 (patch)
treeab2c3f7e887584e678843347030f35aab7828074 /security/apparmor/Kconfig
parentbd35db8b8ca6e27fc17a9057ef78e1ddfc0de351 (diff)
downloadlinux-6059f71f1e94486a51cef90e872add11fa7b5775.tar.bz2
apparmor: add parameter to control whether policy hashing is used
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security/apparmor/Kconfig')
-rw-r--r--security/apparmor/Kconfig21
1 files changed, 17 insertions, 4 deletions
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index 232469baa94f..be5e9414a295 100644
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -31,13 +31,26 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
If you are unsure how to answer this question, answer 1.
config SECURITY_APPARMOR_HASH
- bool "SHA1 hash of loaded profiles"
+ bool "Enable introspection of sha1 hashes for loaded profiles"
depends on SECURITY_APPARMOR
select CRYPTO
select CRYPTO_SHA1
default y
help
- This option selects whether sha1 hashing is done against loaded
- profiles and exported for inspection to user space via the apparmor
- filesystem.
+ This option selects whether introspection of loaded policy
+ is available to userspace via the apparmor filesystem.
+
+config SECURITY_APPARMOR_HASH_DEFAULT
+ bool "Enable policy hash introspection by default"
+ depends on SECURITY_APPARMOR_HASH
+ default y
+
+ help
+ This option selects whether sha1 hashing of loaded policy
+ is enabled by default. The generation of sha1 hashes for
+ loaded policy provide system administrators a quick way
+ to verify that policy in the kernel matches what is expected,
+ however it can slow down policy load on some devices. In
+ these cases policy hashing can be disabled by default and
+ enabled only if needed.